I'm having some trouble getting this to work from my USB drive. I put the pause in the build-initrd.sh script so that the USB hub and drive have a chance to initialize. But right after, I get the error

Code:

/dev/sda1 failed to mount as /lib

So... what do I do? The message from the USB modules says it found my USB drive at sda1 and of course it is working because I boot from the USB up to that point. Am I specifying the device that should be mounted as /lib wrongly? There isn't a great deal of error message to work with!

Jeff

Maybe a little bit too late, but I'm sure I know what your problem is/was:
you typed /dev/sda1 in the build-initrd.sh, right? It should have been /dev/discs/disc0/part1 if you have devfs enabled.

(replace disc0 with the actual disk. dunno which one sda is ...)

greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

Quote:

Maybe a little bit too late, but I'm sure I know what your problem is/was:
you typed /dev/sda1 in the build-initrd.sh, right? It should have been /dev/discs/disc0/part1 if you have devfs enabled.

Thanks, but my system is pure udev so I don't think that is the problem. (good thought though)

But now I'm on to a new problem. I put my key on a CD (/dev/hdd works in build-initrd.sh, so I assume /dev/sda1 should have) and went from there. But now I end up with pivot_root failing. The error says something about older kernels not including pivot, but that seems to be a default error. I'm using 2.6.4-ck2, which should be fine.

Very glad I copied my root to another HD!

Jeff
_________________
A computer is like an Old Testament god, with a lot of rules and no mercy. -Joseph Campbell
Kingfisher
Athlon-XP: 2.6.7-love8-ck5 +nptl

Hmm, I'm baffled. If I boot from my backup root, I can decrypt and manually pivot to the new root. So the problem is neither a corrupted partition nor a kernel that can't pivot. So... I'm not sure what to try next. build-initrd.sh doesn't copy /sbin/pivot_root to /boot but it looks like it makes its own version against dietlibc.

Doh. I wish I got a little more useful error messages on boot.

Jeff

Must have something to do with the ramdisk.
The error sounds familiar to me but at the moment I don't remember what it was.

Aha! Got it... because I was running build-initrd from a root other than the one I was trying to pivot to, an empty but crucial directory was missing. Pivot_root takes 2 arguments: the new root to mount, and the mount point for the old root, relative to the new root. There was no place to mount my old root, so it failed.

Mounting the new root and creating /initrd was all it took.

(edit)
That, and changing my /sbin/rc to mount /dev/ram1 on /mnt/.init.d rather than /dev/ram0, since that was already in use. RC really should make sure the ramdisk isn't already in use before it tries to use it.

Now to get it to read my key off the USB drive...
(/edit)
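
The two failures described in the post above (no directory under the new root to receive the old root, and a ramdisk that is already mounted) can be checked before pivot_root is called. This is an added example, not part of the original post or of build-initrd.sh; the function names and sample paths are assumptions.

```shell
#!/bin/sh
# Added example; function names and sample paths are assumptions,
# not taken from build-initrd.sh.

# put_old_ready NEW_ROOT PUT_OLD
# PUT_OLD is relative to NEW_ROOT (e.g. "initrd"). pivot_root needs it to be
# an existing directory under the new root, or there is nowhere to move the
# old root. Returns 0 if ready, 1 if PUT_OLD is missing, 2 if NEW_ROOT is.
put_old_ready() {
    pr_root=$1
    pr_old=$2
    if [ ! -d "$pr_root" ]; then
        echo "new root $pr_root is not a directory" >&2
        return 2
    fi
    if [ ! -d "$pr_root/$pr_old" ]; then
        echo "missing $pr_root/$pr_old: create it before pivot_root" >&2
        return 1
    fi
    return 0
}

# device_in_use DEVICE [MOUNTS_FILE]
# Returns 0 if DEVICE is the source of any mount listed in MOUNTS_FILE
# (default /proc/mounts), 1 otherwise.
device_in_use() {
    du_dev=$1
    du_file=${2:-/proc/mounts}
    while read -r du_src du_rest; do
        [ "$du_src" = "$du_dev" ] && return 0
    done < "$du_file"
    return 1
}

# first_free_ramdisk MOUNTS_FILE DEVICE...
# Prints the first DEVICE that is not mounted; returns 1 if all are busy.
first_free_ramdisk() {
    fr_file=$1
    shift
    for fr_dev in "$@"; do
        if ! device_in_use "$fr_dev" "$fr_file"; then
            echo "$fr_dev"
            return 0
        fi
    done
    return 1
}
```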

In step "2c1) creating the ramdisk with devfs enabled in the kernel" I also had to tell the config file not to use GPG or I couldn't boot. (USEGPGKEY=0)

I suppose there is no way to load the keyboard driver before asking for the password? I don't have a qwerty keyboard.

I had a really, really, really hard time entering my password phrase!!
_________________
... and we will show Microsoft, that they cannot take whatever they want. And that Free Software is our software!

Quote:

In step "2c1) creating the ramdisk with devfs enabled in the kernel" I also had to tell the config file not to use GPG or I couldn't boot. (USEGPGKEY=0)

I suppose there is no way to load the keyboard driver before asking for the password? I don't have a qwerty keyboard.

I had a really, really, really hard time entering my password phrase!!

There is certainly a way! I use a dvorak keyboard and it takes me a long time to get my passphrase entered using qwerty!

In build-initrd.sh, set the option

Code:

LOADNATIONALKEYB=1

Then copy your keymap to /boot/default.kmap. Note that this file must not be zipped! So if you use the one in /usr/share/keymaps, unzip it! An easy way to get around this is to use dumpkeys after your layout is loaded.

Code:

dumpkeys > /boot/default.kmap

In fairness, I should point out that kswtch already said this, which I just noticed. Not trying to steal his/her thunder!

Sorry to bog down this thread with a probably trivial question. But I have encountered the following problem. When I attempt to run sh build-initrd.sh (last step in 2c2) I receive one of the two following errors.

1.
tmp-c-4118.c: In function `main':
tmp-c-4118.c:331: warning: label `fail5' defined but not used
15+0 records in
15+0 records out
ioctl: LOOP_SET_FD: Device or resource busy
and the script fails. I am at a total loss as to how to work around this. //edit figured it out.

2. Or sometimes the script returns "makefs.minix no such file or directory".
I understand (from the loop-aes readme) that there is a mkminix directory in util-linux, but the included documentation did not help me with how to install or whatever needed to be done. This is now where I am stuck.

Any help would be appreciated (try to be explicit, Linux user for approx. 3 days : ] )
I am using the following kernel: 2.6.5, with devfs not enabled.

What happens if the filesystem gets corrupted? What happens if the system goes down unexpectedly? As far as I know when you encrypt something all it takes is 1 damaged bit to lose everything... Will only open files be lost or the entire partition?

Just for your information, this is what someone called "spider" replied to me on the security mailing list:

Quote:

To note here is that when you talk about encrypted filesystems, You are in fact talking about encrypted block devices. The filesystem resides inside the encrypted block, so any damage on the filesystem level, will only damage files in the filesystem, it will not auto-corrupt the whole filesystem. (unless you get severe damage to the filesystem, and that'd be just as bad with as without the encryption)

True, encrypted devices are more sensitive to hardware errors, things like a loose cable, a faulty sector, will corrupt a block (Most encryptions are block ciphers based on 512 or larger blocks of data) which will then corrupt a bit more data than otherwise.

However, in practice this is less likely to be an issue, since if you care enough to encrypt your partitions, You already care enough to make regular backups in encrypted format, right?


Is there a way to mount different partitions with the same password without having to type the password multiple times?

^^ jeffrice
You were right about mkfs.minix not being in /sbin; however, I do have Minix fs support enabled. Could I get around this by using the included source code in util-linux,
specifically in either .. /util-linux/disk-utils or /util-linux/mk-minix-0.1?
The loop-aes readme alludes to this, stating
" build-initrd.sh script depends on having minix file
system support in the kernel and working mkfs.minix program binary.
Util-linux includes source for mkfs.minix if you don't have it and need to
build it yourself."
The included docs just don't seem to help me with installation. Any help would be appreciated.

Ah. Okay, first emerge util-linux. Then follow the instructions for patching and installing the components that loop-aes needs. Most of the components in the ebuild don't need patching, so I found it easier to emerge it and then download the source and patch mount and the couple other proggies that needed it.

J

In case anyone is looking for a good encryption system for Windows, Cross-Crypt is an open-source AES and Twofish-enabled system that will also easily use your GPG keys if GPG is installed. Encrypted containers are mounted as drives. A GUI is also available, although I don't think it supports GPG keys.

Jeff

I do not have an encrypted root file system so encrypting it with a non-random key and then piping the password to losetup at start-up is not an option because the password file would not be encrypted. I already have an encrypted /home partition so typing two different very long passwords in would be annoying.

I suppose it would be possible to create a small encrypted partition with the passwords to my /home and /tmp partition on and then pipe the passwords to losetup from there. This seems like a good idea, especially since I am thinking of encrypting /var as well but I am not sure if this will work with the /etc/init.d/localmount script. Would I have to remove /home and /tmp from fstab, then change localmount to something like:

Also is there a way to make it so you are asked for your password again if you type it in wrong instead of carrying on with the boot process? Asking for it again a maximum of 3 times would be useful.

Finally, for anyone who uses a multi-key gpg key file you will not be able to access your data from a KNOPPIX CD because it uses an older version of losetup. According to the loop-aes readme file, "Setting up multi-key gpg key-file and using that key-file with old single-key only aware losetup/mount programs is *dangerous*."

Is it possible to encrypt the /tmp partition in a similar way to the swap partition - a new random key is generated each time you boot?

I guess you would have to create a new filesystem on the /tmp device each time.

I just thought I would mention that in the UK, "It remains a criminal offence under the Act (s.53), punishable with up to two years imprisonment, to fail to surrender an encryption key. The Act places the onus on the recipient of the notice to show why any encryption key cannot be surrendered." -http://hamiltons-solicitors.co.uk/archive-docs/combat-cybercrime2.htm

This is quite frightening because you are guilty until proven innocent. If you can't prove that you have genuinely lost your key then you are in trouble. IANAL but I think that if you were to encrypt your /tmp partition with a random key at each boot and your init scripts reflected this you would be OK.

Steganography seems the only viable solution to making sure that no one else will be able to read your data. StegFS is a steganographic file system for Linux - http://stegfs.sourceforge.net/ Unfortunately it does not have support for 2.4/2.6 kernels at this point in time. StegHide (in portage) is good for hiding individual files, especially for sending them over the internet.

I'm experiencing a very weird problem. I've successfully encrypted my root, swap, etc...
I've been running this machine for 3 months already. I haven't experienced any problems. However, today I tried to extract a very large tar file. There are twelve 50 MB rar files within this huge tar file. There's also a checksum file that comes with the tar file, which validates all 12 of these large 50 MB rar files.
I've tried to extract these files many different times. Every time after I extracted these rar files from the huge tar file, I checked them with the checksum file. And every single time, it gives errors but on different rar files.
The odd thing is, every time I extract from the tar file, different rar files get corrupted. Therefore, I want to know if this has anything to do with the encrypted file system, or is there something I might have done that may cause this error.
Just for the record, I run reiserfs on the loopback device backed by /dev/sdaX.

Quote:

I'm having some trouble getting this to work from my USB drive. I put the pause in the build-initrd.sh script so that the USB hub and drive have a chance to initialize. But right after, I get the error

Code:

/dev/sda1 failed to mount as /lib

So... what do I do? The message from the USB modules says it found my USB drive at sda1 and of course it is working because I boot from the USB up to that point. Am I specifying the device that should be mounted as /lib wrongly? There isn't a great deal of error message to work with!

Jeff

I get the same error when I try to boot from USB. I followed the guide about gpg encryption. And it works fine when BOOTDEV in build-initrd.sh is /dev/discs/disc0/part1 and boot is on the hard drive. But when I put my boot partition on my USB, and set the BOOTDEV to /dev/discs/disc1/part1, I get the same error as Jeff. I have tried the same as Jeff with the pause; no help.

Quote:

I get the same error when I try to boot from USB. I followed the guide about gpg encryption. And it works fine when BOOTDEV in build-initrd.sh is /dev/discs/disc0/part1 and boot is on the hard drive. But when I put my boot partition on my USB, and set the BOOTDEV to /dev/discs/disc1/part1, I get the same error as Jeff. I have tried the same as Jeff with the pause; no help.

Hmm, well my situation was a little different. First, I use Udev so the drive IDs are different. But my problem mostly was the fact that I had a fat32 USB drive but compiled vfat as a module. Once I put it in the kernel, everything was fine.

J